Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
29-01-2024 09:57
General
-
Target
7f8b6bfea320f0414a90aca8685e4127.exe
-
Size
183KB
-
MD5
7f8b6bfea320f0414a90aca8685e4127
-
SHA1
00f57008c94feca19fd903f0bcdbe437aa554ba8
-
SHA256
5ba47c52b9f1029e4f602c4cf170d8aeef5bb435405d8559c0ce94b46b1a55b3
-
SHA512
b48c28b1b9d14909f4ec00620c3803c9b07444a62a21c43ac56a1b60485643abe72bc69e73ba8c7b5ff01f8aab3c0980537fd2b995d6f45a97122e4ae952e0c6
-
SSDEEP
3072:yKdAWkTthrHwvxiIe91s+n3p/5e8jR0cTs/w+VLXKr6vkvs9R8igyQfgEOBeOB03:hwQvXoim363/OG58dyQIpX
Score
10/10
Malware Config
Signatures
-
Gh0st RAT payload 7 IoCs
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7f8b6bfea320f0414a90aca8685e4127.exe"C:\Users\Admin\AppData\Local\Temp\7f8b6bfea320f0414a90aca8685e4127.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\XXXXXX7A3F0DDD\JH.BAT2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn * /f3⤵
-
-
C:\Windows\SysWOW64\net.exenet start "Task Scheduler"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start "Task Scheduler"4⤵
-
-
-
C:\Windows\SysWOW64\sc.exesc config Schedule start= auto3⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\at.exeAt 0:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 1:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 2:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 3:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 4:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 5:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 6:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 7:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 8:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 9:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 10:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 11:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 12:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 13:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 14:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 15:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 16:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 17:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 18:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 19:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 20:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 21:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 22:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 23:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
C:\Windows\SysWOW64\at.exeAt 24:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe3⤵
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {70DD2379-2B5A-42C4-BDC1-C350EFEF3C52} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\XXXXXX7A3F0DDD\svchsot.exeC:\Windows\XXXXXX7A3F0DDD\svchsot.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Windows\XXXXXX7A3F0DDD\JH.BAT3⤵
-
C:\Windows\SysWOW64\sc.exesc config Schedule start= auto4⤵
- Launches sc.exe
-
-
C:\Windows\SysWOW64\at.exeAt 1:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 2:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 0:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 3:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 4:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 5:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\net.exenet start "Task Scheduler"4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 6:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 7:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 8:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 9:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 11:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 13:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 14:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 16:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 17:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 18:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 19:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 20:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 22:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 23:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 24:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 21:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 15:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 12:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
C:\Windows\SysWOW64\at.exeAt 10:00 C:\Windows\XXXXXX7A3F0DDD\svchsot.exe4⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn * /f1⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start "Task Scheduler"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD534f391f0fecabdb0b1c7dcf94b63d9bd
SHA1755744fcbae194ee4c2543be99bde9ad9eb4edeb
SHA2564895989db870b44359e792deb72fcb91040cf221706b9afee877ac0d7a632315
SHA512be0434caf6367fc3df4acffb129a10767b6abea1e9fbfcedf8bab754afc81db5b700ae0ef22a55b35e1e0e309ffa4ca3a5862deedc9897bdb54c32da82035507
-
Filesize
183KB
MD57f8b6bfea320f0414a90aca8685e4127
SHA100f57008c94feca19fd903f0bcdbe437aa554ba8
SHA2565ba47c52b9f1029e4f602c4cf170d8aeef5bb435405d8559c0ce94b46b1a55b3
SHA512b48c28b1b9d14909f4ec00620c3803c9b07444a62a21c43ac56a1b60485643abe72bc69e73ba8c7b5ff01f8aab3c0980537fd2b995d6f45a97122e4ae952e0c6
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB